Today, October 3rd, is a special day in Berlin: the Day of German Unity. It’s a public holiday that celebrates the reunification of Germany, when the former East Germany joined West Germany.
The Issue
Cloudflare chose the same day to release some features because it was their birthday week. Everything started when the analytics team noticed too many clicks on the affiliate links (it’s really good news, right?), but the conversion rate was way off. So they began investigating and communicated the issue to the tech team.
Investigation
In the backend team, the data flow and app logics were checked to ensure there were no issues. Everything appeared clear, so attention turned to the frontend. Based on product changes and the git log, no updates had been made to the codebase recently that could result in double-click or unwanted click issues. Debugging began to try to understand the problem.
Finding the Cause
After some time, one of our backend developers was able to replicate the scenario on his computer. Most of the devs could not reproduce it, so we started to investigate on the backend developer’s machine: it was a prefetch request coming from the root document. It was clear that there hadn’t been any prefetch configured for the affiliate links.
Finally, we discovered that the prefetch was triggered by Cloudflare. The reason for this was unclear, so we reviewed the Cloudflare blogs and settings. It turned out they had launched a beta feature called Speed Brain, which enables prefetch similar to next/navigations. In simple terms, when the user hovers the mouse over any link, it fetches the link content in the background to improve page performance. Great feature, but it was enabled for all free Cloudflare accounts, which created unintended issues.
Resolution
After disabling Speedbrain, the conversion rate and click count returned to normal.
Takeaway
Being aware of updates and changes from third-party services, like Cloudflare, can help anticipate potential impacts on your own systems.
Beyond monitoring, it’s worth hardening affiliate links so prefetchers, crawlers, and accidental double-clicks can’t inflate your numbers in the first place. A plain <a href="..."> is fair game for any prefetch or bot that decides to fetch it, so the goal is to make a click require an actual, intentional user action.
A few practical defenses:
- Render links as JS-based actions instead of raw hrefs. Keep the real destination out of the
hrefand resolve it only on a genuine click. Prefetchers follow what’s in the markup, so if it isn’t there, there’s nothing to prefetch.
<a
href="#"
rel="nofollow noopener"
data-affiliate="https://partner.example.com/track?id=123"
onclick="goToAffiliate(this); return false;"
>
View deal
</a>
<script>
function goToAffiliate(el) {
// Only navigates on a real user click, not on hover/prefetch.
window.location.href = el.dataset.affiliate;
}
</script>- Add
rel="nofollow"so well-behaved crawlers skip the link, and avoid resource hints like<link rel="prefetch">orprefetchon these URLs. - Route clicks through your own redirect endpoint (e.g.
/go/:id) and count a click server-side only for real navigations — ignoreSec-Purpose: prefetch/Purpose: prefetchheaders and known bot user agents. - De-duplicate on the backend by throttling repeated hits from the same session within a short window, so a stray prefetch or double-click is recorded once at most.
With the link resolved on intent and the redirect endpoint filtering out prefetch and bot traffic, a feature like Speed Brain can’t quietly distort your conversion data again.